It may be desired to provide encryption for data transported across a synchronous wireless link, in particular because of the inherent vulnerability of wireless links to interception. A synchronous wireless link may, for example, take the form of a microwave link, which may have a range of several kilometres between antenna towers, as a point to point link between two wireless stations. A synchronous wireless link may also take the form of a point to multi-point link, for example connecting a master wireless station to a number of slave wireless stations. The wireless stations on the link transmit and receive in a connection-oriented synchronous manner, for example according to a predetermined time division duplex and time division multiplex frame sequence, in which the timing of the transmissions from each wireless station is determined with respect to a common time reference. Typically transmissions occur within a designated timeslot, irrespective of whether there is payload data to transfer. This is in contrast to a packet oriented data network such as a TCP/IP network, in which packets may be transmitted opportunistically between a server and a client according to the demands of payload traffic, each packet typically having a header indicating its destination.
One known approach to providing encryption is to encrypt the MAC layer of a synchronous wireless link between wireless stations. The wireless stations may be controlled by the same operator, and the encryption and decryption may use a cryptographic key configured at both ends of the link by the operator. The cryptographic key may be a pre-shared secret key which is loaded by the operator into each station, for example by a site visit. However, the use of pre-shared keys may be cumbersome in a point-to-multipoint link, in particular if slave units are to be deployed in an ad-hoc fashion. Furthermore, replacing keys periodically may become onerous, involving either a site visit or a means of securely updating keys remotely.
Alternatively, encryption may be provided by sending a data stream comprising conventional encrypted datagrams over a wireless link to provide a secure data connection. It is well known to encrypt payload traffic in an asynchronous data network using a cryptographic protocol, such as the Transport Layer Security (TLS) protocol. This may provide a secure connection between two hosts in a computer network. For example secure connections may be provided between a web browser and a web server, providing encrypted datagrams which carry encrypted data. The encrypted data is encapsulated within packets having unencrypted MAC headers such as TCP/IP headers. The headers may be read by routers in the network to route the packets to the correct destination, but the data within the packets forms a secure connection. However, this approach is vulnerable to traffic analysis to determine characteristics or routing details of payload data.